by Manfred Riepe
Experts working in the field of computer forensics, also known as e-discovery, face a multitude of challenges today, which affect not only the IT departments at companies, but also the legal departments. Close cooperation between a company’s IT experts and company lawyers should therefore be a top priority when it comes to e-discovery and forensic data analysis.
eDiscovery is about identifying, searching, capturing, securing and processing electronic data used in internal investigations or as evidence in civil or criminal proceedings.
Different data protection regulations in different countries pose a challenge for eDiscovery.
The increasing storage of data in clouds at external providers makes the work of data detectives more difficult.
The work of data forensic experts requires a great deal of sensitivity. They need to work with both the IT and legal departments.
The term e-discovery (electronic discovery) also refers to the work of the computer forensic experts who identify, search, record, secure and process all electronic data intended to be made available for use in internal investigations (compliance) or as evidence in civil or criminal proceedings.
Data protection: different countries, different customs
Different countries have very different data protection regulations in place, and they tend not to be compatible with one another. For example, companies facing a pending legal dispute in the U.S. may be made subject to a so-called legal hold, which obliges them to secure all data that may become relevant in future proceedings. If the hold is violated, a lawyer can obtain a title in civil proceedings against the company that has deleted internal data relevant to the ongoing proceedings.
This disclosure obligation is far-reaching: It is not just paper documents that are to be submitted as evidence, but all electronic data. This includes not only e-mails related to the subject of the dispute, but also SMS and WhatsApp messages, voicemails and other electronically stored information such as photos, tables, user data and profiles.
If the company refuses to surrender data or takes precautionary measures to delete it, draconian punishment awaits the offender under U.S. law. Under the Sarbanes-Oxley Act, which was adopted following the unexpected bankruptcy of the large U.S. corporation Enron, offenders can face up to 20 years in prison and a fine of up to USD one million if emails relevant as evidence are deleted or falsified in a fraud case.
The situation is quite different for personal information that is not protected under U.S. law but is subject to the European General Data Protection Regulation (GDPR). A Germany-based company with global operations is required to first extract all stored information in accordance with applicable data protection regulations and conceal the personal information before transferring data to the U.S. “These concealed areas,” says Michael Becker, “are ‘manufactured’. This means that images in TIF format are created from the original documents, in which the areas to be concealed are marked, making it impossible to recover the concealed information. The decision about what should be concealed is made by the client or the client’s legal representative; for e-discovery proceedings, this is done in consultation with the court and the opposing party.”
Tact is key
Data forensic experts do not go about their work collecting data on site by simply approaching employees and asking: “Dr Maier, can I please have your laptop?” An expert’s assignment largely depends on the on-site logistics. According to computer forensics expert Daniel Heinrichs, Business Development Manager at KLDiscovery, everything has to be clarified in advance. If this is not done, hostility may arise with the legal department and the IT department, whose purpose and personal responsibility is not to disclose data.
Collecting laptops and mirroring corporate databases is not only time-consuming and costly, it also requires tact: When performing their job, data detectives often walk a fine line between preserving evidence and safeguarding business secrets. In cases like this, according to Heinrichs, “forensic experts operate in high-security areas”. This could involve “a group of forensic experts on site extracting data and preparing it for on-site review”. Another option is to filter the data on site and to prepare the reduced database for review. However, this may be problematic, especially if the suspect is determining which search terms should be used to analyze the secured data, making obstruction possible. To prevent this, the unfiltered data record is “frozen” and stored in a safe at the court. A hash value, or “digital fingerprint”, is created so that any later change to the evidence can be detected. To achieve this, a checksum comprising 32 digits is generated, which represents the exact contents of the data carrier and would deviate greatly from the original value if even a slight change was made to the secured evidence.
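The fingerprinting step described above, as an added example that is not part of the original article: a secured image is hashed at acquisition, the record is stored separately, and a later check shows how a single flipped bit changes the fingerprint. The article names no algorithm; the 32-digit value is assumed here to be a 128-bit digest such as MD5 written in hexadecimal, with SHA-256 recorded beside it because MD5 is not collision-resistant. The file name and contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def fingerprint(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def freeze(path):
    """Record made at acquisition time and kept apart from the evidence."""
    return {"size": os.path.getsize(path), **fingerprint(path)}

def verify(path, record):
    """Return the fields that no longer match (empty list = unaltered)."""
    current = freeze(path)
    return [k for k in ("size", "md5", "sha256")
            if not hmac.compare_digest(str(current[k]), str(record[k]))]

def differing_digits(a, b):
    """Count the hex positions that differ between two equal-length digests."""
    return sum(x != y for x, y in zip(a, b))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.img")  # constructed stand-in image
        with open(image, "wb") as fh:
            fh.write(b"constructed sample sector\n" * 4096)
        record = freeze(image)
        intact = verify(image, record)
        with open(image, "r+b") as fh:             # flip a single bit in place
            fh.seek(1000)
            byte = fh.read(1)[0]
            fh.seek(1000)
            fh.write(bytes([byte ^ 0x01]))
        tampered = verify(image, record)
        changed = differing_digits(record["md5"], fingerprint(image)["md5"])
    return record, intact, tampered, changed

if __name__ == "__main__":
    record, intact, tampered, changed = demo()
    print(len(record["md5"]), "digit fingerprint:", record["md5"])
    print("before change:", intact, "after one-bit change:", tampered)
    print(changed, "of 32 digits differ")
```

The file size is unchanged by the bit flip, so only the digests reveal the alteration.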
Cloud technology poses new challenges
The increasing use of cloud technology entails new challenges. Data is no longer located on company premises, but at an external provider. “We can’t just knock on their door,” explains Heinrichs from KLDiscovery Ontrack. “You practically have to take a ticket at an external provider.” This form of securing data can be very time-consuming: it can take three to four weeks to restore the data via external providers.
Company lawyers must be specific
The forensic data detective sometimes enters a minefield. The cooperating IT department does not always report to the legal department, as it may have its own manager. This can lead to conflict. In cases like this, the forensic expert may have to act as an intermediary between IT and the company lawyers. Daniel Heinrichs remembers a case where he was tasked with securing data in the legal department while the works council protested loudly just outside the office door.
The objective must be for legal and IT departments to work hand in hand when it comes to e-discovery and forensic data analysis. This will require company lawyers to provide specific information on which data must be retained and which information does not require storage. Erasure processes as part of a routine system flow are considered unproblematic. Data that is irrelevant to business operations and to litigation proceedings should be disposed of regularly. To this effect, the legal department is tasked with drawing up specific instructions on how and when erasure processes are to be implemented at the company. In collaboration with the company lawyers, the IT department should then categorically and systematically store relevant data so that data required for legal proceedings can be quickly and efficiently segregated and made available for proceedings.
“We have the impression,” concludes Michael Becker, “that our role as an external service provider has been extremely well received by legal departments. We provide a service that could only be provided internally with great difficulty and at consistently high cost. It would be possible for legal departments, together with IT, to set up an infrastructure similar to ours, but it would rarely prove economically efficient. Even major international corporations are not doing this. In the face of the pressure to deliver impeccable services and the possible threat to the company in the event of inadequate processing, companies are glad to outsource the liability risk to those with broad shoulders.”